Cloud PAM, What Is It?
Digital transformation is at the heart of organizations embracing cloud technologies. As we make this shift to the cloud, our approach to Privileged Access Management (PAM) needs to be re-defined in order to protect access to the cloud and workloads within the cloud.
Watch this on-demand webinar looking at what Cloud PAM really is, and how it can enable you to reduce risk within your environment. We cover the following key areas:
- The adoption of cloud and multi-cloud
- Protecting access to the cloud and workloads in the cloud
- What is cloud PAM?
- The different types of cloud PAM solutions
- Key gotchas and things to watch out for
SPEAKER
Chris Owen, Director of Product Management, Centrify
Chris joined Centrify in 2019 as Director of Product Management. Chris’s current role takes him around the world where he speaks frequently to audiences looking to gain insight into the world of Privileged Access Management.
-
Chris Owen:
Good morning and good afternoon to those who are watching from different time zones around the world. So, a little bit about me, you know, I guess to start with the basics, the British accent. So I'm born and bred in the UK. I started working with privileged access management tools in 2001. I worked across the UK government and military space, delivering PAM technologies across a wide and varied kind of vendor landscape. You know, the world was a lot different then to what it is now, but I've had a very lucky, very fortunate career and have got to work with some great technology vendors, whether it be DMZ, Quest, CA, CyberArk, BeyondTrust.
Chris Owen (00:01:12):
And about 10 years ago, I moved into the vendor world. So, I started in the vendor world at Quest Technologies, and had a great time with Quest, moved into Dell when they got acquired. And then for a while, I headed up the architecture practice at CyberArk in the UK. And then more recently at BeyondTrust, heading up the solutions engineering team across EMEA and APAC. I joined Centrify, it's coming on two years. It'll be soon. So it's been a fantastic journey here so far, really pleased in the progress that we're making as an organization. And really, I believed in something different. And we'll explain a little bit more around what that means. What we wanted to do today was to give you a bit of insight into how the world of privilege is changing and how cloud is really driving that trend, that transition that we're seeing in the marketplace.
Chris Owen (00:02:16):
Then some of the key things to watch out for as you yourselves embark on this journey. So, if we look a little bit around the adoption of cloud, and specifically multi-cloud, this is one of the biggest shifts that we are seeing in the space at the moment. We are painfully aware of emerging technologies really reshaping our world. A good example of this is cloud technologies. Organizations like yourselves are increasingly moving workloads to the cloud. And this is really to achieve a few things, generally agility, flexibility, and certainly cost savings. If we look at the average spend on cloud, it's estimated to grow from around 50 billion in 2020 to around 74 billion for 2022. And that's the figure that Gartner is putting out from an industry point of view. And a lot of people describe this trend as digital transformation, and that's simply to rethink old operating models, to experiment more, to become more agile in your ability to kind of respond to customers and rivals from a competitive point of view with new modern technologies. And simply, digital transformation is imperative for businesses of all sizes, whether it be small, medium, or large enterprise, but extending the old technology stack and storing an endless mountain of data leads not only to complexity, but also challenges across your business organization.
Chris Owen (00:03:55):
Some of the interesting stats around cloud: as organizations embrace cloud technologies, we're definitely seeing a rise in the number of organizations who are adopting multi-cloud strategies rather than looking at a single vendor. This has obviously risen greatly this year because of the global pandemic that we're all obviously going through at the moment. And many organizations have really moved to this remote working model, a lot of the time being forced into the model by various government regulations around the world. And the interesting thing about this transition, it's certainly forcing some to transition in a hurry and obviously many organizations haven't quite had the time that they want to be able to plan and secure their environments. From a statistics point of view, there's a lot of work, whether it be through Gartner, Forrester, et cetera, to look at the cloud transition.
Chris Owen (00:04:51):
The key thing for me here is really that through 2020, 95% of infrastructure and service failures will be the customer's fault. That is a really scary statistic. You know, hopefully it's not Gartner saying everybody is messing up, because we all know as humans mistakes happen, right? And it doesn't take a bad person to make a mistake. It takes a human being to make a mistake. But the key thing for us, as a privileged access management vendor, is that throughout those faults, more than half are going to be attributed to inadequate management of privileged identities, access, etc. That's really a key thing in the market. Now, one of the biggest inhibitors of cloud transformation is ultimately shared security concerns. And when we look at whether they are justified, not necessarily, but when you're transitioning to the cloud, everyone involved has to understand that cloud security is shared between the cloud service provider and the customer, ultimately yourselves. As shown in this example, the cloud service provider, in this case it's Amazon's shared security model, is typically securing the core infrastructure and the services as part of the shared responsibilities, but securing the operating system, the platforms and the data ultimately remains your responsibility.
Chris Owen (00:06:22):
And it's really key to remember these shared responsibilities and not believe that the cloud service provider is solely responsible for cloud security, because they are not. And if we assume they are, we are certainly opening ourselves up more to an attack.
Chris Owen (00:06:40):
Now, when we look at key threats, key threats is an interesting one. You know, cyber adversaries have long moved beyond network layers when kind of mapping out their attack vectors. This slide shows some of the key threats that cloud environments are facing, whether it be brain shifts around distributed denial of service attacks, malware, ransomware to credential-based attacks, but ultimately the easiest way for an attacker to gain access to sensitive data is by compromising an end user's identity. You know, this is still the easiest route for them. And things get even worse if that identity belongs to a privileged user and may have an even broader set of kind of access requirements and ultimately give the attacker the keys to the kingdom, as such. The key thing here is that, you know, an attacker is not going to traverse a network calling themselves hacker 1. They really are going to compromise an existing user's credential so that they can transform and transition the network undetected.
Chris Owen (00:07:49):
Now, there were quite a few examples of this, and it's important to understand that it really only takes one credential. We can't get complacent and think that we are doing the minimum to satisfy a tick box from an audit point of view, because it only takes one compromised credential to impact millions. And that could be millions of data records, millions in fines, millions of intellectual properties. A good example was an attack here relatively recently at OneLogin, whereby an attacker obtained and used a highly sensitive key for the vendor's Amazon-hosted cloud instance. And they retrieved that key from an intermediate high extent, effectively breaking into its service using a front door key. And it's one of many examples that you can find for out the worlds that go on now that all relate to kind of cloud technologies or cloud environments. It really is essentially opening up multiple pathways into our critical data like we've never really seen before. Now, when it comes to breaches, all roads lead to identity, right? Hackers don't hack in anymore, they log in using weak, default, stolen or otherwise compromised credentials. And Forrester states that prevalence financial abuse or misuse is at the heart of around 80% of breaches.
Chris Owen (00:09:13):
But there are still so many organizations that have not started the privileged access management journey as yet. So, if we look at this example of the attack life cycle, some people call it the kill chain, however you want to refer to it. There are really three main phases to this. First is to get inside the network. It's really the easy part, actually. There are far too many holes for us to protect, and we may be security professionals. We may have security budgets, and we may have a lot of time, energy, resources, but the attacker has got far more time than we have. You know, they can sit there for days, weeks, months, years trying to probe and find a way in. And unfortunately, quite often they do, whether it be through humans or whether it be through technology, but it seems easy for an attacker to go onto Google, to download all of these tool sets.
Chris Owen (00:10:05):
And in fact, you don't have to be a hacker to do that. You can be anybody. So, tools such as MaxPlay, Mimikatz, freely available. Anyone can download and use them. So, we have to have the mindset that everyone inside then we let's see. Zero trust actually assumes that they are on the inside. And that's when our security kind of architecture really begins, and we have to kind of think differently. Once on the inside, they may move laterally around. So, we call that the kind of fan-out phase, where they move in between machines, elevating credentials as they go. And then ultimately they want to exfiltrate data. Now, ultimately, I'll stand posture for this is that cloud has kind of changed things, right? We've gone from a world where 18, 19 years ago, privileged management was focused on bricks and mortar, focused on putting in vaults in our data centers, protecting access to that. But as organizations have embraced cloud technology, our attack surface has expanded.
Chris Owen (00:11:15):
And there's a couple of things that you can do with privilege management tools that we'll have a look at coming up shortly, that kind of looks such, do we look to embrace new cloud technologies? Do we look at the native tool sets that these cloud providers have? Or do we look at a kind of lift and shift model of moving our cloud technologies into these platforms? Or do we look at embracing new technologies that were more born in the cloud? When we think about an attacker's viewpoint, we need to look at what our users have access to and how they have access to those systems. Our work has traditionally, in this model, access and data center, whether they be technical users or not; traditionally, that's where all of our data is stored.
Chris Owen (00:12:11):
If they're a privileged user, they will use protocols such as RDP, SSH, et cetera, to gain access via trusted paths. And as we've embraced new technology, new ways of working, we've now got remote workers coming in using trusted pathways into our data center as well. That on top of cloud, ultimately all we've done is create more and more trusted pathways. And it's these trusted pathways that are critical for an attacker to traverse a network and go on undetected. So, what can we do about this and what are the new things that we must look out for in the privilege world when looking at kind of cloud technologies? So next up, we're going to look at a couple of key themes. One is, you know, protecting access to the cloud and the other is really protecting workloads within the cloud.
Chris Owen (00:13:05):
And these are really two critical use cases when we embrace cloud technology. The first one here is protecting access to the cloud. And what do we mean by this? Well, when you sign up to a cloud provider, you specify an email address, a password gets tied to your root user account. And then ultimately, you'll go through a series of steps that help you protect that account. And the steps are quite interesting. There are some best practices associated with every cloud provider out there. When you sign up for this root account, traditionally, what it will do is allow you to apply MFA to it. And then along comes a password vault and the password vault kind of says to you, Hey, I want to protect that root account and I want to manage it for you. Well, it's a bit of a misconception to me in the privileged world, right?
Chris Owen (00:14:05):
How can a vault log in to AWS root if AWS is applying MFA? It can't, it simply can't, because the vault can't log onto it and apply the MFA code. So, what traditionally happens is PAM vendors will kind of say to you, you know, okay, we'll remove MFA from AWS because you've got MFA at the vault. And honestly, that scares the life out of me because you're basically removing the lock from AWS. And yes, your role may be able to manage AWS root and it may have MFA associated with it, but you've now got no security on the front door. That to me is absolutely crazy. So, we're going to look at some interesting things here about how we do things a little bit different. There's protecting access to the cloud, whether it be root account credential management, Federation feed, user log on, and the fact that we want to weaken our security.
Chris Owen (00:15:03):
The other thing that we wanted to do is really protect workloads in the cloud. And cloud by nature has a lot of ephemeral workloads. By that, we essentially mean it's a little bit different than running a data center. In a data center, we know what resources we have. We buy servers, we rack them, we cable them, we install applications on them. And we should be able to tell you, with a fairly accurate degree of accuracy, how many servers we have, but in the world of DevOps and infrastructure as code and things like that, nobody knows how many instances they have running in AWS, et cetera. Maybe the finance people do from a billing point of view. But the whole idea of the cloud is, it's elastic. It grows and it shrinks. So there's some very different challenges associated with protecting these workloads in the cloud.
Chris Owen (00:15:59):
And quite often, traditional privileged access management controls don't really apply. We've got to think about, okay, how do we authenticate those workloads in the cloud? How are we protecting any credentials that those workloads may use or have? And how do we ensure that we're enforcing multi-factor authentication on them? So, we're not leaving any weak points within the security or the boundaries of those systems. So to look at these use cases a little bit more, the first thing that we need to think about is really how we protect access to the cloud. The key problem that we have is cloud management consoles. Think of the Azure management console, and the AWS and GCP management consoles; they literally have full administrative control over all cloud infrastructure and services. Right? And if we think about who's got access to those and who has access to those keys, we have seen some crazy, crazy situations where lots of different business units have had access to these root accounts.
Chris Owen (00:17:04):
And I've never seen anything like it in my entire career. You know, sometimes, finance teams having AWS root and things like that. And you can understand it potentially from a billing point of view. But for me, it's giving somebody the keys to the data center and not having any security grounds. You know, it's hard for me to get my head around. I'm very much used to access control in data centers and turning up, and you've got a swipe card key to get in. You have to sign all these books. Somebody will escort you to the rack, make sure you're on the right server and things like that. And now, in the cloud, once you can access a data center with a username and password, that's scary from a security perspective. So, we've got to look at how we protect access to those.
Chris Owen (00:17:54):
The other thing is the tools that all staff are using now to access cloud environments. So, the whole concept of, you know, DevOps, DevSecOps, et cetera, it's a bit of a mouthful. But essentially now, what used to be infrastructure or server support people or engineering, that's really transitioned into, let's say, DevOps. And really this is a bunch of super clever people that are building things using code. Whereas, in the olden days we used to buy a server, provision it, patch it, deploy an application; that can all be done in code now. These extremely clever people that most organizations have, they use various different tools, various different management consoles that ultimately have access to our cloud environment. So they can do all of these kind of things.
Chris Owen (00:18:54):
I call it wizardry, mainly because I don't understand the half of it. But it's interesting to see, it's interesting to view the world as it is now and how agile people are in the use of kind of these tools and what they can do with them. We need to look at securing the consoles, securing the kind of CI/CD pipelines that people are using, the tools that they are using. So, from a solution point of view, we need to ensure that we are at a start doing admin or root account management. And this really goes down to vaulting credentials, rotating them, auditing single access and applying MFA. And my serious word of caution here. You know, some of you on this call may be customers of a vault that is one of our competitors. That's no problem. You know, the vault has been seen as essentially a commodity market.
Chris Owen (00:19:50):
My best bit of advice to you is don't move that account out of the control of the cloud provider. Don't move it under the full control of the vault, because I guarantee you will weaken the security of your cloud provider. I'm really proud of what our engineering team and our product management team has done in this area. You know, we have a concept of assisted account management. So we'll store that account in our vault. We will actively reach out and change it, but we've built this really cool capability, you know what I mean, into a browser extension where we'll actually automate it, but stop for the MFA prompts. So we always need a user to help out during that change process. And I think that solves a major problem that we have.
Chris Owen (00:20:43):
I think if we look at staff access, you know, DevOps tooling and things like that, again, you know, the common kind of controls that you would see here is always vaulting. Typically your DevOps use cases would use federated access. So don't create your local IAM users in these cloud providers. Let's use Federation and let's always audit access and changes. When it comes to workloads and infrastructure in the cloud, the key difference here is that, as new servers and containers are created, they really become the most granular security boundary for our business data. And we have to protect these. And the issue that we have with cloud resources is, by nature, they are designed to be ephemeral. You can spin up an instance and you can spin it down in a matter of minutes, hours, days, a week.
Chris Owen (00:21:40):
So, it's really not like buying a server, waiting six weeks for it to be delivered and another two weeks for it to be racked and cabled. And, you know, luckily those days are gone. But I think the very ephemeral nature of the workloads that we have now is a cause for concern from a security point of view. So when we look at controls that we can apply to protect workloads and infrastructure in the cloud, the first thing that comes to mind is enrollment. And this is a really interesting concept in the world of privilege. So if we think about mobile device management for a second, right, if you join an organization, you have a mobile phone. One of the first things that you do is often enroll that within an MDM solution for that company. You know, it will do a certificate exchange.
Chris Owen (00:22:33):
It will trust your mobile device. You may have to install some software that puts a sandbox on your phone, but ultimately there'll be a central policy server that applies a policy to your mobile device. It protects it, it secures the data on it. And if your mobile device is stolen, your workplace can delete the contents of your phone, or at least the sandbox. Now imagine doing that with servers. So, in a cloud world, think about enrolling a machine in a platform and think about then protecting that machine and that workload with the PAM platform. For me, it's something that I think we could have done in the early days of privilege. I'm not quite sure why people haven't thought of this concept, a kind of MDM for servers, before. You know, we've always very much focused on the privileged element.
Chris Owen (00:23:28):
And it's quite an interesting thing, but if we look at things that we could do, so we look at enrollment, how do we enroll devices into our PAM platform? And how do we do it when they are ephemeral? How do we handle a kind of vaulting of admin credentials on the ephemeral machines? How are we enabling just-in-time access to those machines? How are we handling MFA? And the final bit is around machine-to-machine authentication. So, a couple of critical capabilities that we advise that organizations should look at here. And some of the more interesting things from the [inaudible] kind of communication happens. A lot of machines in the cloud are used for applications. So, you'll generally find machines talking to machines, applications talking to applications. And, in a typical old data center architecture, you'd have a kind of web layer, presentation layer talking to kind of database, storage, et cetera.
Chris Owen (00:24:37):
And this is no different with the cloud. It's just often a service talking to another service. And we have to look at how we secure these communications. One of the big things that I've seen change in the last kind of six months, I would say, in the cloud world, is that we're starting to see technologies leverage machine-to-machine authentication, rather than AAPM type use cases. And by that we mean application-to-application password management. So, scripts, applications, making the call to our vault, using a username, password, API key to retrieve credentials for that script. For me, I look at that problem and scratch my head when I look at it, because I think, okay, I've got an application that needs a credential. It makes sense to store that credential in the vault, but in order to allow the application to retrieve it, I'm putting a line of code in the application that has a username, password and API key.
Chris Owen (00:25:38):
I've just created a side door into my vault, and I'm doing that for every application that I've got, and it kind of feels a little bit backwards in that methodology. So, you know, the rise of machines protecting themselves and machine authentications that communicate with the vault has been one of the great transitions that we've really seen in this kind of cloud journey over the past six months. If we look at what is cloud PAM, you know, what's the big differences? What have we seen as much transition points of view? For the last 19 years, PAM has really been a kind of technology stack. For me, when I think about cloud PAM, the first thing that I think of is a service. You know, the solution must be available as a service. It must offer, you know, subscription-based licensing rather than the old kind of model of perpetual.
Chris Owen (00:26:35):
It must be available to communicate with my on-premise environment, with my multi-cloud strategy. And I shouldn't need to manage it. I shouldn't need to patch it. I certainly need to worry about updating it, all the maintenance of it. And obviously we all want the high nines availability, 99.9 at least, often four nines, sometimes five nines some people want from an availability standpoint. You also want it to be hyper-scalable. What do we mean by that? Well, this needs to grow as you do. You know, ultimately it's a vendor's responsibility to shoulder that infrastructure burden, the cost, etc. You want to ensure that as you grow and as your use cases grow, the PAM solution is going to grow with you and it doesn't contain any bottlenecks. You may want it to be multi-tenanted, you may think that you're subject to kind of making acquisitions and things like that.
Chris Owen (00:27:33):
And you may want to have a central management console that has separate sub-tenants out there. And then when we look at what do I need to install? What is it I need? What's my footprint? The key thing is to not really have a footprint. If you're using a SaaS service for a privileged access management solution, the last thing that you want to be doing is having physical servers on-prem, or lots of components you need to enable secure communications. You also don't particularly want inbound firewall ports and things like that. What you'll see with a lot of SaaS PAM solutions, and especially the platform plays, is the concept of connectors, which are very lightweight in nature, and we see different things from different vendors. Some need dedicated hardware, some use terminal servers, some have different connectors for Windows to what they do for SSH, for instance, and some bundle a whole bunch of capabilities into a single, lightweight connector. So, have a look at them, have a look at their capabilities, but things to me to look out for: you want them lightweight, you want them speaking outwards out of your environment, and you want them to be the only thing that you have to install within your environments.
Chris Owen (00:28:59):
If we look at the different types of cloud PAM solutions, because there really are different types. The whole idea of this session is to really be kind of a bit more educational and tell you some of the key things to watch out for as maybe you're embracing cloud technologies, as you're going on this journey. What are the key considerations and key things to watch out for? When organizations embrace cloud technology, what we have seen over the last six, five, six years is, first and foremost, the lift and shift model. And I think for a lot of organizations, that's in the early days of cloud technologies. We looked at it and thought, can I move my data center into the cloud? And we pretty much replicated the setup. Because we did this, we realized that, hold on, I'm not really getting economies of scale.
Chris Owen (00:29:53):
This is generally costing me more than what the data center did itself. And we see a similar approach with PAM tools, right? We see some organizations that move their existing tools to the cloud. And it's been an interesting journey. I think, certainly a lot of the conversations we have or a lot of the feedback that we get is from organizations saying that they've really increased the number of resources required to support their PAM technology. It's not been a simple transition, mainly because of the different types of architecture that you get with cloud platforms. Typically, you have the concept of, let's say, VPC, virtual private cloud. You could design it like a subnet and you could design it like a mini data center, but typically you would need to put the components for your PAM tool in each of these distributed VPCs.
Chris Owen (00:30:50):
So, you could turn a situation where you have 10 servers supporting an on-prem deployment of a PAM tool quite easily into 40 or 50 servers when you embrace cloud technology. So generally, you know, as a rule of thumb, organizations tend to grow rather than shrink their infrastructure footprint when they do the lift and shift model. It really doesn't work for the cloud because that ultimately means really paying the price of it. So the next kind of model is really the cloud native model. And by cloud native, you know, when you sign on to a particular cloud platform, each cloud platform now has a series of tools. And actually, you know, they are really good tools. I'm not going to say anything bad about them. When you look at all the major kind of public cloud providers, whether it be Azure, GCP, AWS, each one has an element of privilege management.
Chris Owen (00:31:50):
Each one is trying to address security risks associated with users having privilege, whether they're doing something with an ephemeral certificate, with the secret vault capabilities, whether they're purely doing kind of directory sync data, et cetera. And the cloud native approach is an interesting one. I think a lot of organizations certainly start here and I don't think that's the wrong thing to do. Certainly, in the conversations that we have with organizations who try this, some of the key challenges they have is the fact that they've got separate and distributed systems for vaulting. They may have an on-premise vault solution, enterprise password vault, they may then adopt, you know, a secrets management in each of their cloud providers. And all of a sudden you could have four different password vaults in play, four different management consoles managed by different teams with different security standards.
Chris Owen (00:32:49):
And you can see how this leads to kind of identity sprawl and generally, you know, a security person's or compliance person's nightmare, because now you've got low visibility over where, you know, these privileges are managed and how they're handled, as well as the stats. Usually enterprise directory access is a big thing, and this is mainly due to how organizations adopt cloud technology rather than the fact that they are adopting it. So, when we embrace cloud technologies, we look at who has access to it and what can they do. And traditionally that could be infrastructure people or DevOps people. They may be the same teams, but it's very rarely security teams that have access to these platforms and really look at security of them. They may mandate certain controls that must be in place. They may form all the client's checks and things like that, but it's very rare.
Chris Owen (00:33:46):
They will be hands on and kind of configuring things. So, we're unsure as to how authentication and authorization and things like that are managed. It's quite often not our directory accounts that we're logging on to cloud resources with. It's quite often that a VPN is required for accessing some of these resources. There's a whole bunch of concerns that people have, ultimately. The third approach is really PAM-as-a-service, you know, using a SaaS-based solution. Usually, a modern PAM-as-a-service solution would offer a centralized password vaulting solution or platform to really tie in multi-cloud environments. Along the frame, you'd have a centralized form of secrets management platform, service account management platform. And really the key is consolidation, right? We all want a single interface. As much as we hate the term single pane of glass, it really applies in this model, right?
Chris Owen (00:34:53):
Because we've got multiple, let's call them data centers, multiple providers of those data centers. We want one single tool to sit in the middle and to be able to communicate with all of them and to be able to kind of manage them all as one. There's never a quick and easy way of doing something. There are always pros and cons to everything we do in life. What are the key gotchas with these kinds of models? We'll look at the lift and shift approach. We'll look at the cloud native and look at the PAM-as-a-service approach. And we'll kind of see what are the key gotchas with each of these. If we look at the lift and shift, the expansion of port, so moving our PAM tools into the cloud ourselves and maintaining an on-premise, the key thing really is each VPC site. Each provider will ultimately need to have these capabilities installed within them.
Chris Owen (00:36:03):
Traditionally, what we'd have is a whole bunch of on [inaudible] on prem environment, and we'd have to then install these components in our cloud because of the way that we architect our cloud solutions. And we have, virtual, private networks, that's all private data centers, whatever you want to call them. We have multiple sites where we need these components. If we don't, what we'll end up with is firewalls like swiss cheese and communications going a bit kind of crazy and wild. So when we look at the drawbacks of lifting and shifting our existing on-prem technologies into the cloud, the things to look out for is how many servers are you actually going to be required to have in your cloud environments? It's certainly not going to be one, it's certainly not going to be two. So, you need to look at how many are you going to be required to have, how much is that going to cost you? Cost is really the critical thing.
Chris Owen (00:36:57):
If it costs more than running your data center yourself, you are not really using cloud in the right way. Look at the suitability. Most on-premise solutions are really retrofitted to support cloud use cases. They're not cloud native, be cautious of that because if you're using basic things, a session proxy in the cloud, for instance, if you look at the resource requirements to run that, if you look at whether it needs terminal services, terminal server licenses, all of these things add up from a cost point of view. So be aware of them. Also look at whether you need VPNs. If you need VPNs, any form of directory sync, again in a modern kind of fashion, the modern PAM stack, all these things can be avoided now, so try not to go down that path. From a support point of view, as yourself as an organization, how do you support the exponential growth of these solutions in the clouds? All of a sudden you've got a lot more infrastructure to support, and look at then how you update and maintain the solution. It's not easy to manage servers these days. And certainly, a lot of organizations are trying to move away from that model.
Chris Owen (00:38:17):
If we look at the cloud native approach, cloud native is by far the biggest thing that I think we see organizations try and do a little bit with the native capabilities that public cloud providers have internally. And the feedback that we gain on that is that people tend to see an identity silo kind of crisis happen where we've got an on-prem directory system, traditionally Active Directory, you've then got, you know, AWS that has IAM users. You may then have some Azure AD and it's really, how do you tie all of these things together? You know, if you're in GCP, you may have a physical directory in there as well. So avoiding kind of identity silos is critical. But the approach to native clouds does tend to see the creation of identity silos, the duplication of Active Directory into these kind of cloud platforms.
Chris Owen (00:39:20):
Sometimes you'll see site-to-site VPNs being required, and ultimately leveraging a free infrastructure-as-a-service provider's PAM capabilities. And sometimes they're good enough, I'm not going to say they're not. It really comes down to the controls that you need to have in place, how you want to manage it. Some of the biggest drawbacks we perceive in this is really a cost point of view. Yes, the tools themselves are free, but ultimately you require headcount cost and that's quite often prohibitive. It's a very different skill set, managing AWS resources than what it is a PAM tool. PAM tools you traditionally fold into either the IAM team or the security team for management. AWS needs some specialist skills a lot of the time to get things configured the right way, as does Azure and GCP and any other cloud provider. Um, site-to-site.
Chris Owen (00:40:18):
VPNs within cloud tools are often really not affordable, can be cost prohibitive. From a maintenance point of view, definitely duplicate effort is required to set up across multiple kind of cloud VPCs, multiple SaaS providers, multiple kinds of public cloud platforms. So just be aware of how much effort these things can be to set up in a multi-cloud environment. There are often limited migration capabilities. So, each one, each public cloud provider would kind of be a siloed instance that you need to manage. That ultimately gives you a lack of centralized management, which gives you a lack of visibility and the potential for blind spots to occur.
Chris Owen (00:41:07):
The final approach is really cloud PAM-as-a-service. I think looking at the leaders' quadrant across the common space, every vendor in that leaders' quadrant now has a SaaS capability across their PAM stack. And I really think the world of PAM is shifting to SaaS. And there's many reasons why that is a good thing. You know, certainly cost, it's the least expensive approach from a resource and headcount perspective. But the biggest thing by far is maintenance. We've seen some very big infrastructure footprint deployments of PAM tools over the last 18 or so years. Simply the volume of servers required to support PAM technology is huge. The management, the upgrading of them and things like that. It can become a nightmare for a lot of organizations. So, go with a SaaS provider that gets you a multi-tenanted solution, maintains the solution for you and all of the underlying infrastructure, all of the upgrades and things like that.
Chris Owen (00:42:16):
And the fact that these solutions are going to be scalable. You know, you often find the SaaS solutions built on, whether it be Azure, GCP, AWS, it makes no difference where these tools are even hosted anymore. What matters is, can they manage most kinds of environments? When I think about security, we are a PAM vendor, security is our business. It's our job to make sure that these environments are secure. So, for us taking that headache away from you and us then taking the burden on ensuring these solutions are secure. It really, if it was on the customer side still, it would make me happy that I didn't have to worry kind of about that thing anymore.
Chris Owen (00:43:05):
So to wrap up on a couple of things here, before we look at Q and A, you know, from a maturity model point of view, privilege hasn't changed in terms of its maturity model over the last kind of seniors that I've seen. The key elements have always been going after the quick wins. And the quick wins always start with vaulting. You know, vaulting enables you to randomize all of the passwords that are generally always the same on every single server out there and get rid of those kinds of shared accounts and consolidate access to them. So vaulting is critical to any PAM program. I can honestly say, I've worked in the privilege space obviously for 19 years now. And something strange happens every time I speak to somebody involved in PAM programs. And one of the interesting things is how many organizations fail to get past vaulting.
Chris Owen (00:44:09):
And I really see this as a critical thing, right? And I think vaults are often misused. And I think that leads to a problem, especially when it comes to users and their privileged accounts. I don't think vaulting is the right approach for those accounts. Really the key thing for me in PAM is this point here: identity consolidation and least privilege. So, when we think about identity consolidation, right? One of the goals of privilege: reduce the number of privileged accounts in my estate. If you don't perform identity consolidation, how do you reduce the number of accounts? You can't just go and delete them because obviously they are in use, they're used for something. When you think about risk reduction, well, it's really least privilege that enables you to reduce risk.
Chris Owen (00:45:01):
Would you say privilege from somebody's kind of account. But quite often organizations don't get to this second point and that's because they get too hung up on vaulting and too hung up at getting stuck at various stages within vaulting projects. To me, this point two here is the absolute critical one for risk reduction, when it comes to privilege management. Point 3 is really the final hardening. To be honest with you, it's very rare that organizations actually get to this endpoint. I think it's a blue sky goal that I think we absolutely need to have. I think it's something that certainly regulated environments need to do, and you need to have, but I don't think it's needed for the majority of people. I think if we can cope with kind of the vaulting and the identity consolidation piece, that's really key for us in moving forward from a security risk point of view.
Chris Owen (00:46:01):
One of the other things that we often hear is really the confusion in the markets around privileged tools. And I think we as a vendor space, we have caused a lot of confusion in the market with acronyms, different names for things. And it's a little bit crazy to navigate the world of privilege. It doesn't help that analysts often call things by different names as well. There is some confusion there, but you know, some of the big acronyms that you likely see is starting with PAM itself. What does PAM mean? Privileged access management. People often forget that it's access management. It's not account management. It's not just about privileged accounts. It's about access. How is that access used? When you talk about PIM, it's more about identity management, privileged identity management.
Chris Owen (00:46:58):
Then you've got things like PAS, privileged account security, or privileged access security, different vendors use it interchangeably. Then more into Gartner terms. So PEDM, privileged elevation and delegation management. This is all about least privilege. PASM is your typical kind of vault and session proxy. So privileged account and session management. We've got terms such as PSM. So, privileged session management, PXM, and it could be privileged anything management, that's a little bit of a strange one. And then into the new world of terminology, PTA, privileged task automation, is something that I think this year in the PAM space we are going to see a lot of, potentially even some consolidation across the [inaudible]. But we are already starting to see a lot of the integration use cases with tools such as UiPath from an automation point of view. PAC, privileged account or privileged access compliance.
Chris Owen (00:47:57):
All these things prove it's identity and access management. And then after the case, application management, there is a whole myriad of acronyms within this space. You know, we still see something where we scratch our heads and think, no idea what that means. And that will probably continue, but that's a quick glossary for you and if you've got any more acronyms, just let us know, you know, we're always happy to read more and to be able to educate people more. With that being said, let's kind of end this presentation point of view. You know, it is designed to be a one-on-one series. This is more on the educational side, and more technical ones follow. But I really appreciate everybody's attendance and we do have some questions in the Q and A box. So if you have some more, please feel free to write them in.
Chris Owen (00:48:50):
And we'll go through this now. So, one of the first questions that we have is really from Chris. So good morning, have you considered biometric authentication, so voice, face, et cetera, to help alleviate the login and password risk? Absolutely. We certainly do. And I guess I'll choose my words carefully here because a lot of organizations promote biometrics without actually doing true biometrics. I like the fact that you've put voice, face, et cetera, on that. From an integration point of view with MFA providers, we're a member of the FIDO2 Alliance and we support kind of on-device biometrics. I'm going to call it that because your lovely phone provider and things does the same. So yes, we can do, you know, whether it be fingerprints, whether it be face unlock, but I do think we're going to see a lot more from biometrics.
Chris Owen (00:49:58):
There are some really cool things happening in the market with biometrics, whether it be deep vein analysis, whether it be voice analysis and things like that. So, yep, absolutely. I think we will be tying that to more ephemeral-type tokens for authentication in the market as well. So next steps, give your, does so apologies. I've pronounced your name incorrectly then. So can I explain a bit more on MFA, certainly, say multi-factor authentication. So traditionally, when you log into something, you've got a username and password, so that's something that you know, and that something you know could often be static in nature. It could be a credential that multiple people know, it could be a credential that's been the same over so much time. So you kind of have what's called multi-factor authentication where you bind the something that you know with something that you have.
Chris Owen (00:51:05):
And that something that I have is a multi-factor authentication prompt, some push notification on my phone. It can be the old-style kind of credit cards with a number on, but it's a secondary factor of authentication. And so for me, I see a huge risk in cloud. When people sign up to cloud providers, you get a root account. So that's the key to your data center and it can be accessed with the username and password. Now the best practice when you sign up to cloud providers is to apply multi-factor authentication to that account. The public cloud providers often provide those capabilities, or they'll tell you to use an authenticator app on your mobile device. But then when we look at how vaults work, vaults reach out to talk to a system and then we'll use a protocol or, you know, some web automation to reach out and to change a credential on that device.
Chris Owen (00:52:06):
But they can't do that if there's MFA applied because they don't have that something, they don't have that code, you know, a PAM solution just has a credential. So, trying to log in using that credential and it will try and rotate the password. So, the advice that I've certainly seen in the market and that we've been told about by various kind of prospects and customers is that PAM vendors are saying, okay, don't protect that account using MFA from the cloud provider, we use it at our vault. And I just think that is crazy. You know, it's one of the worst security decisions I think anyone could ever make because you're taking that lock away from your data center. And what we've done is shift the accounts into a vault. And we removed all of the security from the front door. It doesn't make sense.
Chris Owen (00:52:58):
So, I think as I mentioned, we've done a really smart job of providing a way around that and a way to do it in a secure manner. So next step, what could be the downside of using cloud as a service, going for a SaaS approach versus the other two approaches? That is a really good question actually. And the biggest thing is actually mentality. And I think that's the biggest barrier we've really seen, that people are very much afraid because they are thinking, okay, we're going to put credentials in the cloud. And then to be honest with you, as soon as you start using cloud providers, you've got credentials in the cloud, so don't think of a SaaS solution as you're moving your credentials on-premise into the cloud, you're already doing that. Do people want to manage servers? Do they want to manage software? Do they want to manage upgrade processes, procedures? Nobody wants to do that anymore. I think the as-a-service model is all positive. That's not to say customers don't come to us and say, hey, we need this on-prem. There are definitely highly regulated areas and businesses that need to be on-premise. That's the biggest thing I would say.
Chris Owen (00:54:30):
Question from Greg. So, thinking that you mentioned browser extension requirements. So yeah. This is a capability that Centrify had a while ago when we were in the IDaaS business. We have this browser extension that could do form fill. And you know, when we look at cloud technologies now, if we look at, let's say AWS root, as an example, so what we've done and what we've come up with is this really neat way of managing root within our vault, rotating it. But the browser extension that we have, and it's in preview mode at the moment, we are beta testing it internally and enabling it for certain customers, this browser extension that we have will ultimately do the log on to the AWS website. It will do all the automation and it will prompt the user within your business that you need the MFA code before it can go a step further with the AWS root password management, but it's the browser extension that's doing all this work.
Chris Owen (00:55:32):
You could do this locally on your computer, or you could have it on a hosted browser if you wanted it to be more secure, on something like a terminal server. The next question that came from Greg: does Centrify require a third party tool for MFA enforcement? Or do we have our own tool available, baked in? We're actually already an MFA provider. We have our own MFA solution built into our platform, but we can also integrate with third parties as well. We can do either. And, you know, we can fit in if people use their own authenticator apps or biometrics on the mobile devices, we can use those.
Chris Owen (00:56:16):
So how does decentralized identity, blockchain identity, impact PAM solutions and implementation methods? This is one of my favorite questions to answer. And I'm definitely not going to have four minutes, but let's give it a go. So decentralized identity is going to be one of the biggest nightmares, but greatest saviors for security people moving forward. And we have many conversations on this internally and I think personally the way decentralizing identity and decentralizing storage of things like credentials is going to be the future. Right now, where we are is very much in a centralized approach. I think we're starting to see with DevOps the move to a decentralized identity approach, but I don't think we're anywhere near its potential at the moment. I think it's going to be a major headache for security people. And I mainly think that's because it's going to take a lot for people to get their head around.
Chris Owen (00:57:30):
But I've had some interesting conversations with people who work in the blockchain world. And I think if we use that technology in the right way, I think there is a lot of potential in that area for privilege to move beyond these ephemeral tokens where we are now. That's really the next iteration, using ephemeral tokens for access, but I think we can potentially move to more of a blockchain method for verification of identity and using almost the distributed ledger model to prove an application is who it says it is. And I think its value is going to be in application communications or service-to-service communication as well.
Chris Owen (00:58:20):
So next question from Jimmy: and the market is moving towards digital identity, how can biometrics be used for authentication and the identity information be stored in vaults? Absolutely. So, the market is a lot of infrastructure, a lot of code, a lot of applications. So it isn't, so definitely there is a move to digital identity. It kind of ties into the last question that we had on blockchain and the future and the evolution of privilege, evolution of identity, evolution of authentication. The world of vaults, right? I can definitely see a world where the vaults shrink. The vault becomes decentralized in its nature, but I always think we're going to have vaults. You know, we're always going to have some form of credential somewhere, and that could be a token. It could be a temporary or an ephemeral token in its nature. It could be a token that's split across a blockchain that multiple kind of ledgers verify, but we're always going to have some form of platform for management of this. So, I think your question is extremely valid. I think it's completely relevant. I just don't think we're quite there yet, but I definitely think those are the questions we need to answer, and we need to provide answers to.
Chris Owen (00:59:42):
So, I think we just kind of at the top of the hour there. So, I just wanted to thank you all for your time today. And really thanks for all of the great, great questions. Hopefully, we got them all, but if they're already outstanding, we'll be sure to get back to you in writing on those with our answers. Please feel free to contact us as well. So thank you and enjoy the rest of your days.